[PATCH mtd-utils] misc-utils: fix integer overflow in ftl_check.c
Zhihao Cheng
chengzhihao1 at huawei.com
Wed Dec 18 19:58:28 PST 2024
On 2024/12/18 18:34, Anton Moryakov wrote:
> Report of the static analyzer:
> An integer overflow may occur due to arithmetic operation (multiplication) between variable 'nbam' and value '4' of 'sizeof(u_int)', when 'nbam' is in range
>
> Corrections explained:
> Avoid arithmetic overflow that could cause an incorrect amount of memory to be allocated.
> Handle memory allocation errors (malloc).
> The code is robust and safe for large nbam values.
>
> Triggers found by static analyzer Svace.
>
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
>
> ---
> misc-utils/ftl_check.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/misc-utils/ftl_check.c b/misc-utils/ftl_check.c
> index 5b2dae5..fe43a24 100644
> --- a/misc-utils/ftl_check.c
> +++ b/misc-utils/ftl_check.c
> @@ -120,8 +120,17 @@ static void check_partition(int fd)
>
> /* Create basic block allocation table for control blocks */
> nbam = (mtd.erasesize >> hdr.BlockSize);
The 'mtd.erasesize' won't be a large number in fact, so I think the
overflow checking is not really needed.
> + if (nbam > SIZE_MAX / sizeof(u_int)) {
> + fprintf(stderr, "Error: nbam value too large, potential overflow detected.\n");
> + free(bam);
> + return;
> + }
> bam = malloc(nbam * sizeof(u_int));
>
> + if (!bam) {
> + perror("malloc failed");
> + return;
> + }
I'm fine with the check of 'bam', just put the blank line (in front of
'if (!bam)') before the for-loop.
> for (i = 0; i < le16_to_cpu(hdr.NumEraseUnits); i++) {
> if (lseek(fd, (i << hdr.EraseUnitSize), SEEK_SET) == -1) {
> perror("seek failed");
>
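Review bot: In the new overflow branch, `free(bam);` runs before the `bam = malloc(nbam * sizeof(u_int));` line that follows the check, so nothing in this hunk has assigned `bam` when it is freed; unless `bam` is initialised to NULL earlier in check_partition(), that call passes an indeterminate pointer to free(). Suggest dropping `free(bam);` from that branch and keeping only the error message and the `return`. The patch's nine added lines include no #include, so also confirm that a header defining `SIZE_MAX` (such as <stdint.h>) is already pulled into ftl_check.c.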